As the user used to connect as a restricted view on the DB tables a very basic check has been added to make sure that a GRANT is set on the tables used during the authentication process. Without that if the GRANT is not correctly deployed it might be considered the OIDC plugin is not present when it is and users with an OIDC account could still use credentials that are not tokens. GRANTs are expected to be always set even for optional plugins such as LDAP or OIDC client (it is already what the initial setup of a Tuleap instance does nowadays) so existing instances will need to update the privileges given to the dbauthuser. This can be done with: GRANT CREATE,SELECT ON plugin_ldap_user TO dbauthuser; GRANT CREATE,SELECT ON plugin_openidconnectclient_user_mapping TO dbauthuser; REVOKE CREATE ON plugin_ldap_user FROM dbauthuser; REVOKE CREATE ON plugin_openidconnectclient_user_mapping FROM dbauthuser; FLUSH PRIVILEGES; Deploying the new GRANT for the plugin_openidconnectclient_user_mapping cannot be automated as it requires a privileged access to the DB. When testing, remember that the Tuleap.pm file needs to be redeployed to /usr/share/perl5/vendor_perl/Apache/Tuleap.pm, that Apache needs to be restarted and that depending on your local setup you might have an authentication cache surviving Apache restarts so the change might not visible immediately. Change-Id: Ie391b2115f2f189e139edca2e551dcd4bfd6f6bf

+83 −1

Author

Thomas Gerbet (tgerbet) 2020-09-23 10:18

Committer

Thomas Gerbet (tgerbet) 2020-09-24 10:55

Hash 7ebf9bf9d3a9474ea77a41fde07d523329f158c4

Parent cf9fa994c5d0e82d921183c75059e9dcd7d8259e

Reference git #tuleap/stable/7ebf9bf9d3a9474ea77a41fde07d523329f158c4